Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony lemmony allows Cross Site Request Forgery.This issue affects Lemmony: from n/a through < 1.7.1.
AnalysisAI
A Cross-Site Request Forgery (CSRF) vulnerability exists in shufflehound's Lemmony application versions prior to 1.7.1, allowing unauthenticated attackers to perform unauthorized actions on behalf of legitimate users through crafted web requests. An attacker can exploit this vulnerability to cause integrity and availability impact by forcing a victim's browser to make unwanted requests to the Lemmony application. The attack requires user interaction (clicking a malicious link) but has a low attack complexity and network accessibility, making it a practical threat in multi-user web environments.
Technical ContextAI
This vulnerability is rooted in improper CSRF token validation, classified under CWE-352 (Cross-Site Request Forgery). The Lemmony application, identified via the shufflehound vendor namespace, fails to implement adequate anti-CSRF protections such as synchronizer tokens, same-site cookie attributes, or origin/referer header validation. CSRF vulnerabilities exploit the inherent trust browsers place in authenticated sessions—when a user visits a malicious website while logged into Lemmony, the attacker's injected requests are automatically sent with the user's valid session cookies. The vulnerability affects Lemmony versions from an unspecified baseline through version 1.7.0, with no indication of prior patched versions, suggesting this may be a long-standing design flaw rather than a regression.
RemediationAI
Immediately upgrade Lemmony to version 1.7.1 or later, which addresses the CSRF vulnerability through enhanced token validation and secure cookie handling. This patch is the primary and recommended fix. Until upgrading is feasible, implement compensating controls: enforce HTTPS-only connections to Lemmony (configure strict HTTPS-only policy in the application and reverse proxy), enable and enforce SameSite=Strict or SameSite=Lax cookie attributes on session cookies, implement Content-Security-Policy (CSP) headers to restrict cross-origin form submissions, and educate users to avoid clicking untrusted links while authenticated to Lemmony. Network segmentation and IP whitelisting for Lemmony administrative endpoints provide additional defense-in-depth. Consult the shufflehound vendor security advisory for detailed patch instructions and rollback procedures.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11800